Is this a safe way to deal with password resets?
Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.
Looking at this tweet it looks like passwords are just being stored in plain text? Surely this is not a safe way to deal with password resets?
Comments
No it is not, but every little helps.
Even to hackers
I just send out the database to the client on password resets. It's easier. Just look for yours. It's all in plain text anyway because who likes database entries that can't be read?
hackers will still find ways
Based on the fact that they're saying "Passwords are stored in a secure way" I assume that means they're encrypting the passwords, which means they can then decrypt them for the purpose of the "forgot your password?" email.
It's fine and good to encrypt all the other personal information, but encryption is not the recommended way to store passwords. Instead it's better to hash, and more importantly, to hash properly, which from what I've seen with some of the recent database leaks, not many people know how to do.
If you can convert encrypted text back to plain text, it's not secure.
Well if you provide the customer with a temporary password and have them change the password through your control panel/system, then the password would only be known to them and in an encrypted form.
This is stupid, and they should be firing someone over it. If a hacker can get to your customer database, they can get the script with your password key in it. This is much much less secure than hashing.
There should never be password reminder emails. Hell, there should never be sign-up emails that contain your password, for that matter.
Forgotten your email? Then we'll email you a link to visit, that'll allow you to change your password.
Oh come on...an email with a generated password is fine. It's up to the user to change it. Let's not act like we're storing military secrets here.
They're not sending you an email with a generated password (which I agree is fine, but only if you're forcing the user to change that password immediately upon logging in). They're sending you an email with YOUR password, but claiming they still store your password securely. This means they're probably using symmetric-key encryption to store passwords, and there's a script or something on their site that's going to have a copy of their encryption key in it.
If someone explains a joke it isn't funny anymore
Anyway, I wonder how that tweet hasn't been deleted yet?
Looks like they are running outdated software and couldn't give a monkey's about security.
http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html